[Openvas-commits] r1292 - in trunk/openvas-plugins: . scripts
scm-commit@wald.intevation.org
scm-commit at wald.intevation.org
Sat Sep 6 11:16:57 CEST 2008
Author: ckm
Date: 2008-09-06 11:16:56 +0200 (Sat, 06 Sep 2008)
New Revision: 1292
Added:
trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl
Modified:
trunk/openvas-plugins/ChangeLog
trunk/openvas-plugins/scripts/version_func.inc
Log:
* scripts/gnutls_CB-A08-0079.nasl: New.
* scripts/version_func.inc: changed function find_file
to find arbitrary files on the local or remote host using locate
and/or find (find is used as a fallback when locate fails).
Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog 2008-09-05 21:44:03 UTC (rev 1291)
+++ trunk/openvas-plugins/ChangeLog 2008-09-06 09:16:56 UTC (rev 1292)
@@ -1,3 +1,10 @@
+2008-09-06 Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>.
+
+ * scripts/gnutls_CB-A08-0079.nasl: New.
+ * scripts/version_func.inc: changed function find_file
+ to find any file on local or remote Host using locate
+ and/or find.
+
2008-09-05 Chandrashekhar <bchandra at secpod.com>
* scripts/secpod_clamav_invalid_mem_access_dos_vuln_900117.nasl,
scripts/secpod_hp_openview_nnm_dos_vuln_900211.nasl:
Added: trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl 2008-09-05 21:44:03 UTC (rev 1291)
+++ trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl 2008-09-06 09:16:56 UTC (rev 1292)
@@ -0,0 +1,130 @@
+#
+# This script was written by Carsten Koch-Mauthe <c.koch-mauthe at dn-systems.de>
+#
+# This script is released under the GNU GPLv2
+#
+# $Revision: 01 $
+
+if(description)
+{
+
+ script_id(90026);
+ script_version ("$Revision: 01 $");
+ script_cve_id("CVE-2008-1948");
+ name["english"] = "GnuTLS < 2.2.5 vulnerability";
+ script_name(english:name["english"]);
+
+ desc["english"] = "The remote host is probably affected by the vulnerabilities described in
+CVE-2008-1948, CVE-2008-1949, CVE-2008-1950
+
+Impact
+
+ CVE-2008-1948
+ The _gnutls_server_name_recv_params function in lib/ext_server_name.c
+ in libgnutls in gnutls-serv in GnuTLS before 2.2.4 does not properly
+ calculate the number of Server Names in a TLS 1.0 Client Hello
+ message during extension handling, which allows remote attackers
+ to cause a denial of service (crash) or possibly execute arbitrary
+ code via a zero value for the length of Server Names, which leads
+ to a buffer overflow in session resumption data in the
+ pack_security_parameters function, aka GNUTLS-SA-2008-1-1.
+
+ CVE-2008-1949
+ The _gnutls_recv_client_kx_message function in lib/gnutls_kx.c
+ in libgnutls in gnutls-serv in GnuTLS before 2.2.4 continues to
+ process Client Hello messages within a TLS message after one has
+ already been processed, which allows remote attackers to cause a
+ denial of service (NULL dereference and crash) via a TLS message
+ containing multiple Client Hello messages, aka GNUTLS-SA-2008-1-2.
+
+ CVE 2008-1950
+ Integer signedness error in the _gnutls_ciphertext2compressed
+ function in lib/gnutls_cipher.c in libgnutls in GnuTLS before 2.2.4
+ allows remote attackers to cause a denial of service (buffer over-read
+ and crash) via a certain integer value in the Random field in an
+ encrypted Client Hello message within a TLS record with an invalid
+ Record Length, which leads to an invalid cipher padding length,
+ aka GNUTLS-SA-2008-1-3.
+
+References:
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1948
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1949
+ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1950
+
+Solution:
+ All GnuTLS users should upgrade to the latest version:
+
+
+Risk factor : High
+";
+
+ script_description(english:desc["english"]);
+ summary["english"] = "Determines GnuTLS < 2.2.5 vulnerability";
+ script_summary(english:summary["english"]);
+ script_category(ACT_GATHER_INFO);
+ script_copyright(english:"This script is under GPLv2");
+ family["english"] = "Local test";
+ script_family(english:family["english"]);
+ script_dependencies("gather-package-list.nasl");
+ exit(0);
+}
+
+#
+# The code starts here
+#
+
+include("version_func.inc");
+local_var ver, sec_hole, sec_proto, grep, r, i, t, l;
+
+sec_hole = 0;
+sec_proto = "GnuTLS";
+ver = NULL;
+r = NULL;
+
+ r = find_bin(prog_name:"libgnutls-config");
+ if( isnull(r) ) {
+ r = find_bin(prog_name:"gnutls-cli");
+ }
+ if( ! isnull(r) ) {
+ r[0] = chomp(r[0]);
+ ver = get_bin_version(full_prog_name:r[0], version_argv:"--version", ver_pattern:"([0-9\.]+)");
+ }
+ if(isnull(ver) || version_is_less(version:ver[0], test_version:"2.2.5") ) {
+ grep = find_bin(prog_name:"grep");
+ grep = chomp(grep[0]);
+ l = find_file(file_path:"/usr/lib64/", file_name:"libgnutls.so.*.*");
+ i = 0;
+ foreach t (l) {
+ if( "libgnutls.so" >< t ) {
+ r[i++] = t;
+ }
+ }
+ l = find_file(file_path:"/usr/lib/", file_name:"libgnutls.so.*.*");
+ foreach t (l) {
+ if( "libgnutls.so" >< t ) {
+ r[i++] = t;
+ }
+ }
+ garg[0] = "-o";
+ garg[1] = "-m1";
+ garg[2] = "-a";
+ garg[3] = string("Received zero size server name");
+ foreach binary_name (r) {
+ binary_name = chomp(binary_name);
+ if (islocalhost()) {
+ garg[4] = binary_name;
+ arg = garg;
+ } else {
+ arg = garg[0]+" "+garg[1]+" "+garg[2]+" "+raw_string(0x22)+garg[3]+raw_string(0x22)+" "+binary_name;
+ }
+ ver = get_bin_version(full_prog_name:grep, version_argv:arg, ver_pattern:"(Received zero size server name)");
+ if( isnull(ver) ) {
+ if(sec_hole == 0) {
+ security_hole(port:0, proto:sec_proto);
+ sec_hole = 1;
+ }
+ security_hole(port:0, proto:sec_proto, data:string("\nFound : ") + binary_name + string("\n"));
+ }
+ }
+ }
+exit(0);
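Review bot: The library paths collected in the two `foreach t (l)` loops are appended into `r`, which still holds whatever find_bin() returned for libgnutls-config or gnutls-cli, so when find_file() yields fewer entries than find_bin did (or none at all) the leftover binary paths are grepped for the fix string, fail the match, and are reported as vulnerable. Reset the list before collecting: replace `i = 0;` with `r = NULL; i = 0;`. The remote grep line built in the `else` branch also concatenates `binary_name` unquoted into a shell command, so a path with whitespace or shell metacharacters taken from the target's locate/find output either breaks the command or is interpreted by the remote shell; wrap it as `"'" + binary_name + "'"`. Note too that in the `isnull(ver)` test a grep failure (unreadable or vanished file) is indistinguishable from "fix string absent", and the presence of "Received zero size server name" only evidences the CVE-2008-1948 fix, not the other two CVEs the description lists, so a hedged "probably affected" wording in the report data would be more accurate than a bare "Found".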
Property changes on: trunk/openvas-plugins/scripts/gnutls_CB-A08-0079.nasl
___________________________________________________________________
Name: svn:executable
+ *
Modified: trunk/openvas-plugins/scripts/version_func.inc
===================================================================
--- trunk/openvas-plugins/scripts/version_func.inc 2008-09-05 21:44:03 UTC (rev 1291)
+++ trunk/openvas-plugins/scripts/version_func.inc 2008-09-06 09:16:56 UTC (rev 1292)
@@ -21,9 +21,9 @@
} else {
sock = ssh_login_or_reuse_connection();
if (sock) {
- r = split(ssh_cmd(socket:sock, cmd:"locate *bin/"+prog_name, timeout:20));
- whe = ssh_cmd(socket:sock, cmd:"whereis -b "+prog_name, timeout:20);
- whi = ssh_cmd(socket:sock, cmd:"which -a "+prog_name, timeout:20);
+ r = split(ssh_cmd(socket:sock, cmd:"locate *bin/"+prog_name, timeout:60));
+ whe = ssh_cmd(socket:sock, cmd:"whereis -b "+prog_name, timeout:60);
+ whi = ssh_cmd(socket:sock, cmd:"which -a "+prog_name, timeout:60);
ssh_close_connection();
} else {
r = NULL;
@@ -46,21 +46,27 @@
return (r);
}
-function find_file(file_name) {
- local_var r, sock;
+function find_file(file_name, file_path) {
+ local_var r, f, sock;
r = NULL;
if (islocalhost()) {
- r = split(pread(cmd:"locate", argv:make_list("locate", file_name)) );
+ r = split(pread(cmd:"locate", argv:make_list("locate", file_path+file_name)) );
+ if(! isnull(file_path) ) {
+ f = split(pread(cmd:"find", argv:make_list("find", file_path , "-name", file_name, "-type", "f")));
+ }
} else {
sock = ssh_login_or_reuse_connection();
if (sock) {
- r = split(ssh_cmd(socket:sock, cmd:"locate "+file_name, timeout:20));
+ r = split(ssh_cmd(socket:sock, cmd:"locate "+file_path+file_name, timeout:60));
+ if(! isnull(file_path) ) {
+ f = split(ssh_cmd(socket:sock, cmd:"find "+file_path+" -name "+file_name+" -type f"));
+ }
ssh_close_connection();
}
}
if( ("/locatedb" >< r) || ("execvp:" >< r) || ("fatal error" >< r) || ("No such file or dir" >< r) ) {
- r = NULL;
+ r = f;
}
return (r);
}
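Review bot: In the remote branch, `file_path` and `file_name` are concatenated unquoted into the find command, so a pattern such as `libgnutls.so.*.*` is glob-expanded by the remote login shell before find receives it, and a path containing spaces or metacharacters is split or interpreted by the shell, whereas the local branch avoids this by passing an argv list to pread(). Quote both arguments and add the timeout the other ssh_cmd calls in this commit were raised to: `f = split(ssh_cmd(socket:sock, cmd:"find '"+file_path+"' -name '"+file_name+"' -type f", timeout:60));` — without it a find over a large tree can hang the SSH session indefinitely. The find fallback is only consulted when locate printed one of the error markers checked in the final `if`; an empty result from a stale locate database is returned as-is, so callers never see the find output in that common case, and it is worth either running find whenever locate returns nothing or documenting the limitation. Since locate is given `file_path+file_name` by plain concatenation, the function comment should state that `file_path` must end in a slash (the new caller passes "/usr/lib/"), and that `file_path` may be NULL, in which case only locate is tried.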
@@ -73,7 +79,7 @@
} else {
sock = ssh_login_or_reuse_connection();
if (sock) {
- r = ssh_cmd(socket:sock, cmd:full_prog_name +" "+version_argv, timeout:20);
+ r = ssh_cmd(socket:sock, cmd:full_prog_name +" "+version_argv, timeout:60);
ssh_close_connection();
}
}